Regardless of the mechanics of that attack -- or whether it triggered widespread Internet access slowdowns, which it didn't -- the anti-Spamhaus campaign should serve as fair warning that any business can be a target and thus needs to have a DDoS defense plan in place. "Despite the work that has gone into making the Internet extremely resilient, these attacks underscore the fact that there are still some aspects of it that are relatively fragile," said Andrew Storms, director of security operations for nCircle, via email.

Accordingly, every business should work with its service providers to understand how they handle unfolding DDoS attacks. Also, review what dedicated DDoS mitigation services are available to your organization in case stronger measures are required. "Once an attack like this is underway, the countermeasures take place at the service provider level," noted Tim "TK" Keanini, chief research officer at nCircle. "That's why it's critical for every organization to understand their services providers' DDoS practices. You don't want to start asking about these practices when you have 300 Gbps of traffic knocking at your door."

Beyond crafting response plans, businesses must also lock down the infrastructure attackers use, experts say. In the case of the anti-Spamhaus campaign, attackers used Domain Name System (DNS) reflection attacks, which take advantage of "misconfigured DNS servers to amplify the power of a much smaller botnet," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post. According to the Open Resolver Project, 25 million open DNS resolvers hosted by service providers across the Internet currently are insecure or misconfigured, posing "a significant threat."

What can you do if you're a regular user of the Internet? Not much, Wisniewski said. But "don't panic," he said. "Your data is safe. You are simply being denied service or experiencing delays."

The message, then, for anyone who runs Internet infrastructure is simple: lock down your open DNS resolvers. "If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network," Wisniewski said. "If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes."
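The recursion restriction Wisniewski describes, as a BIND 9 `named.conf` fragment. This is an added example, not configuration from the article or from ISC; the address ranges in the `trusted` ACL are placeholders for your own networks, and the rate-limit values are a starting point, not a recommendation for your traffic.

```conf
// Added example: a BIND 9 resolver that recurses only for its own clients.
// Replace the ranges in "trusted" with your own address space.
acl "trusted" { 127.0.0.0/8; 10.0.0.0/8; 192.0.2.0/24; };

options {
    directory "/var/cache/bind";

    // The open-resolver misconfiguration this article is about looks like:
    //   recursion yes; allow-recursion { any; }; allow-query { any; };
    // (that was also the default before BIND 9.4 changed it to
    // "localnets; localhost;").
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    // If this host serves no public zones, close non-recursive queries too:
    //   allow-query { trusted; };

    // Response Rate Limiting (built into BIND 9.10 and later): throttle
    // identical responses to the same client network, which is exactly the
    // shape of reflection traffic aimed at a spoofed victim address.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;          // answer every 2nd dropped query with a TC (truncated)
                         // reply, so real clients retry over TCP
        log-only no;
    };
};
```

To check the result from a host outside the `trusted` ranges, run `dig @<resolver-ip> www.example.com A`: a properly closed resolver returns REFUSED, or at most a non-recursive reply with the `ra` flag clear, instead of a full answer.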

CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput.

As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week's anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. "We're lucky they used only 30k DNS resolvers," said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.

That's because, with open resolvers acting as reflectors, attackers could punch well above their weight. "Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps -- which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances," said CloudFlare CEO Matthew Prince in a blog post. "Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them."

How do DNS amplification attacks work? "The attacks use DNS resolvers that haven't been properly secured in order to 'amplify' the resources of the attacker," according to Prince. "An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data."

The problem can be mitigated by configuring DNS software such as BIND so that it answers recursive queries only for clients on the networks it is meant to serve. "Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses," Prince said.
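The two points Prince makes above, the byte arithmetic that yields a 50x-plus amplification and the spoofed-source query that a resolver cannot distinguish from a real client, as an added Python example. This is not code from the article or from any vendor quoted in it. Every packet and log line is constructed here; the BIND querylog line format is approximated and differs between versions, so `QUERYLOG_RE` should be checked against your own logs. The example leaves out the EDNS0 OPT record that real attackers add to lift the 512-byte UDP response limit; the frame layout is otherwise plain RFC 1035.

```python
"""Added example, not code from the original article: DNS amplification byte
arithmetic plus a per-source query-rate check of the kind the quoted advice
asks for. All packets and log lines are constructed; the BIND querylog format
is approximated and varies by version."""
import re
import struct
from collections import Counter

DNS_TYPE_A, DNS_TYPE_TXT, DNS_TYPE_ANY = 1, 16, 255


def encode_name(name: str) -> bytes:
    """'isc.org' -> b'\\x03isc\\x03org\\x00' (RFC 1035 label format)."""
    labels = [part.encode() for part in name.rstrip(".").split(".") if part]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, one question, no EDNS0.
    Nothing in this payload or in UDP authenticates the source address, so an
    attacker puts the victim's IP there and the resolver answers the victim."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, records: list, ttl: int = 300) -> bytes:
    """Answer `query` with (type, RDATA) records. Each answer NAME is the
    compression pointer 0xC00C back to the question name, as servers emit."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
        for rtype, rdata in records
    )
    return header + question + answers


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <length><chars> strings of at most 255 bytes."""
    data = text.encode()
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


# Approximation of a BIND querylog line (constructed, not captured):
# "<date> <time> queries: info: client <ip>#<port> (<name>): query: <name> IN <type> <flags> (<server>)"
QUERYLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]*\): "
    r"query: \S+ IN (?P<qtype>\w+) "
)


def abusive_sources(lines, threshold: int, qtypes=("ANY",)) -> list:
    """Source IPs sending more than `threshold` queries of the given types in
    any single second. Reflection shows up as one 'client' (the spoofed
    victim) repeating the same large-answer query far above normal rates."""
    per_second = Counter()
    for line in lines:
        m = QUERYLOG_RE.match(line)
        if m and m["qtype"] in qtypes:
            per_second[(m["ip"], m["ts"].split(".")[0])] += 1  # drop milliseconds
    return sorted({ip for (ip, _), n in per_second.items() if n > threshold})


# Constructed sample: eight ANY queries for isc.org within one second, all claiming
# to come from 198.51.100.9 (the spoofed victim), plus two lookups from a real client.
SAMPLE_LOG = [
    f"27-Mar-2013 10:00:00.{ms:03d} queries: info: client 198.51.100.9#53 (isc.org): "
    "query: isc.org IN ANY +E (192.0.2.53)"
    for ms in range(0, 400, 50)
] + [
    "27-Mar-2013 10:00:00.120 queries: info: client 203.0.113.4#41523 (www.example.com): "
    "query: www.example.com IN A + (192.0.2.53)",
    "27-Mar-2013 10:00:01.300 queries: info: client 203.0.113.4#41524 (mail.example.com): "
    "query: mail.example.com IN MX + (192.0.2.53)",
]

if __name__ == "__main__":
    query = build_query("isc.org", DNS_TYPE_ANY)
    # Ten 200-byte TXT records stand in for a large zone apex (SPF, DKIM, DNSSEC material).
    big = build_response(query, [(DNS_TYPE_TXT, txt_rdata("x" * 200))] * 10)
    small = build_response(query, [(DNS_TYPE_A, bytes([192, 0, 2, 1]))])
    print(f"ANY query {len(query)} B -> {len(big)} B, x{amplification_factor(query, big):.1f}")
    print(f"same query, one A record: x{amplification_factor(query, small):.2f}")
    print("sources over 5 ANY/s:", abusive_sources(SAMPLE_LOG, 5))
```

The contrast between the two responses is the whole story: a 25-byte ANY query against a record-heavy name comes back as roughly 2 KB, while the same query answered with a single A record barely exceeds its own size. Blocking ANY outright is a blunt instrument (some legitimate software uses it), which is why the rate check keys on source address and query type together rather than on the type alone.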

In February 2013, four months after launching a "name and shame campaign" to drive service providers to deal with the resolver problem, CloudFlare reported a 30% decrease in the number of open resolvers running on providers' networks. But with millions of open resolvers still reachable from anywhere on the Internet, don't expect DNS amplification attacks to abate anytime soon.

I agree that each organization should have its own DDoS protection strategy, but I think service providers should build such a strategy as well to protect their customers (corporates or individuals), and here is the gap. So, why are service providers not working hard enough to stop DDoS attacks? Basically, because there is a business that results from such attacks. SPs will make more profit by offering protection services against DDoS, so collaborating with others to remediate the root cause would eliminate that kind of profit.
